Security Incidents mailing list archives
RE: Logs showing GET /.hash=...
From: "James Williams" <jwilliams () mail wtamu edu>
Date: Fri, 2 May 2003 08:16:09 -0500
Here's the nbar configuration I use on our routers. <snip> ip cef ! class-map match-any p2p match protocol fasttrack match protocol gnutella match protocol napster match protocol httpurl "\.hash=*" match protocol httpurl "/.hash=*" match protocol kazaa2 ! ! policy-map p2p class p2p police cir 8000 bc 1500 be 1500 conform-action drop exceed-action drop interface FastEthernet0/0 (internal interface, or external) ip nbar protocol-discovery service-policy input p2p service-policy output p2p </snip> I would also recommend the Allot Communications NetEnforcer. I've tested 2 different versions, the AC202/10 and the AC302, on two different networks and it works great for all known p2p traffic. I'm hoping that our administration lets us buy one before to long. I was testing the AC302 on our dorm network and it cut 10 Megabits of traffic down below a Megabit, just by cutting p2p traffic down to 5Kbps. It works very well and it doesn't manipulate packets likes some other traffic shapers. James Williams Network Systems Operations West Texas A&M University -----Original Message----- From: Justin Pryzby [mailto:justinpryzby () users sourceforge net] Sent: Thursday, May 01, 2003 6:12 PM To: Jim Dueltgen Cc: incidents () securityfocus com Subject: Re: Logs showing GET /.hash=... Probably, "match protocol" is a regular expression where . means any character and \. is an escape sequence meaning a period. Justin Pryzby On Thu, May 01, 2003 at 01:27:00PM -0500, Jim Dueltgen wrote:
I've been working recently with Cisco's Network Based Application Recognition (NBAR) trying to keep Kazaa traffic under control in a multi-tenant installation and I've only ever found this snippet in the documentation: 2. KaZaA version 2 might use port 80 to get around the Firewall. You can control it be adding match protocol http url \.hash=* I'm not sure about the \ vs / as it shows in your logs and as one would expect to see in a URL but the above is what's in Cisco's documentation. My understanding is that the actual download of a file via kazaa v2 happens over port 80 in an attempt to get around passive packet filtering firewalls. Regards, Jim Dueltgen LMi.net At 9:54 AM -0400 4/30/03, Keith Bergen wrote:I have seen log entries in the form: dormtw.isu.edu.tw - - [29/Apr/2003:22:04:17 - 0400] 'GET /.hash=8a8a30842bc6698dd1cbcb31191fc9e76018ea4c HTTP/1.1' 404 323 dormtw.isu.edu.tw - - [29/Apr/2003:22:04:22 - 0400] 'GET /.hash=355bcee01e59b87d9cc33d4ae3cc8edf5f022d2a HTTP/1.1' 404 323 dormtw.isu.edu.tw - - [29/Apr/2003:22:04:24 - 0400] 'GET /.hash=51f6ec2b496fa6fac83a88d7978321c7b64a5969 HTTP/1.1' 404 323 I looked at past posts, and one indicates that this might be KaZaa traffic. The other post indicated it was 'WinMX'. Can somebody expand on this? For example, what is WinMX? Also, why would KaZaa connect to port 80? Thanks, Keith.-----------------------------------------------------------------------
-----
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam,
the
world's premier event for IT and network security experts. The
two-day
Training features 6 hand-on courses on May 12-13 taught by
professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no
vendor
sales pitches. Deadline for the best rates is April 25. Register
today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents-----------------------------------------------------------------------
-----
------------------------------------------------------------------------ ----
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam,
the
world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by
professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no
vendor
sales pitches. Deadline for the best rates is April 25. Register today
to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
------------------------------------------------------------------------ ----
------------------------------------------------------------------------ ---- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ------------------------------------------------------------------------ ---- ---------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
Current thread:
- Re: Logs showing GET /.hash=... Jim Dueltgen (May 01)
- <Possible follow-ups>
- Re: Logs showing GET /.hash=... Justin Pryzby (May 01)
- RE: Logs showing GET /.hash=... Arnold, Jamie (May 01)
- Re: Logs showing GET /.hash=... André Luís Quintaes Guimarães (May 02)
- RE: Logs showing GET /.hash=... James Williams (May 02)